Securing WMS services
The security for an ArcGIS Server WMS service is managed by controlling the security of its parent map or image service. If a particular role, for example, Planners, is denied access to a map, Planners will not be able to access the map no matter whether they try to consume it through SOAP, representational state transfer (REST), or OGC (for example, WMS) interfaces. ArcGIS Server supports a number of authentication schemes including HTTP-based authentication (Basic and Digest), Integrated Windows Authentication, and ArcGIS Server managed token-based authentication.
Integrated Windows Authentication
Services that are expected to be accessed through WMS interfaces should be secured using HTTP Basic, HTTP Digest, or Integrated Windows Authentication. Most WMS clients (both Esri and non-Esri clients) will understand and work with these widespread standard authentication schemes.
ArcGIS Server managed token-based authentication
Although not recommended, a WMS service can still be secured using ArcGIS Server managed token-based authentication by using this type of authentication on its parent map or image service. To make raw requests to WMS services protected by a token, you can get a valid token from the token service and append the token string as an extra parameter to the requests you send out. In other words, requests to a token-secured WMS service must use the following format:
https://<WMS_service_url>?<standard WMS parameters>&token=<valid_tokenString>
Most third-party desktop WMS clients will not be able to connect to WMS services secured in this way, but this technique can be used with WMS clients built with ArcGIS API for JavaScript.
WMS services—ArcGIS Server | Documentation for ArcGIS Enterprise
